November 5, 2024

Penetration Testing Field Notes

Sharpening methodology from scoping to post-exploitation with repeatable rituals.

Even when the scope is small, deliberate structure keeps engagements predictable. Here is the living checklist I follow on internships and lab environments.

1. Recon without tunnel vision

I split discovery into two passes:

  1. Wide: ASN, subdomain, and service enumeration with automation (amass, naabu, nuclei).
  2. Deep: Manual review of exposed panels and protocol quirks. Anything weird goes into a risk.md file for the report later.

2. Crafting useful notes

  • Start a findings/<service>.md note the moment something looks suspicious.
  • Capture raw requests/responses and hashes of downloaded binaries for integrity.
  • Write mitigation ideas next to every finding so the eventual report is action-oriented.
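A small helper that turns the three habits above into a repeatable artifact, added here as an example and not taken from the post: it writes findings/<service>.md with the raw request/response, a SHA-256 per downloaded artifact, and a mitigation section, and can later re-check the recorded hashes against the files on disk. The note layout and function names are assumptions.

```python
"""findings/<service>.md helper (added example; layout is an assumption)."""
import hashlib
import re
from datetime import date
from pathlib import Path

FENCE = "`" * 3  # markdown code fence for the raw HTTP captures
HASH_LINE = re.compile(r"^- (?P<name>\S+): (?P<digest>[0-9a-f]{64})$", re.M)


def sha256_hex(data: bytes) -> str:
    """Integrity hash recorded in the note so evidence can be re-verified."""
    return hashlib.sha256(data).hexdigest()


def render_finding_note(service, title, raw_request, raw_response,
                        artifacts, mitigation, when=None) -> str:
    """Build the note body. `artifacts` maps filename -> raw bytes."""
    when = when or date.today().isoformat()
    lines = [f"# {service}: {title}", f"Opened: {when}", "",
             "## Raw request", FENCE + "http", raw_request.rstrip(), FENCE, "",
             "## Raw response", FENCE + "http", raw_response.rstrip(), FENCE, "",
             "## Artifacts (SHA-256)"]
    for name, blob in sorted(artifacts.items()):
        lines.append(f"- {name}: {sha256_hex(blob)}")
    lines += ["", "## Mitigation", mitigation.strip(), ""]
    return "\n".join(lines)


def write_finding_note(root, service, **kwargs) -> Path:
    """Write findings/<service>.md under `root` and return its path."""
    path = Path(root) / "findings" / f"{service}.md"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_finding_note(service, **kwargs), encoding="utf-8")
    return path


def verify_artifacts(note_text: str, artifacts: dict) -> dict:
    """Recompute each artifact's hash and compare it with the note.

    Returns {name: bool}; a name missing from either side is reported False,
    so a swapped or renamed binary shows up before the report is written.
    """
    recorded = {m["name"]: m["digest"] for m in HASH_LINE.finditer(note_text)}
    return {name: (name in recorded and name in artifacts
                   and recorded[name] == sha256_hex(artifacts[name]))
            for name in set(recorded) | set(artifacts)}
```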

3. Controlled exploitation

When I exploit something, I immediately document:

  • Payload used (include encoding steps)
  • Service / host context
  • Privilege-escalation impact and persistence strategy

Having this detail means I can reproduce the impact on demand for stakeholders.

4. Debrief rituals

After every engagement I grade myself on:

  • Signal-to-noise ratio in reporting
  • Time spent on dead ends
  • Tooling friction points

This feedback loop keeps me improving faster than just hopping between random labs.